tags 605157 + patch
thanks

Jakub Wilk <jw...@debian.org> writes:

> tags 605157 - patch
> thanks
>
> * Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com>, 2010-12-03, 22:37:
>>With my patch applied the resulting /usr/bin/caldavd has:
>>
>>PYTHONPATH="/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/:+:$PYTHONPATH"
>
> So if PYTHONPATH was originally empty or unset, this expands to:
> PYTHONPATH=/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/:+:
>
> Err, that's wrong.

You are right. That is wrong. But it's not doing that. It does this in sh scripts:

export PYTHONPATH=`${python} -c 'import sys; print "/usr/lib/twisted-calendarserver/lib/python%s/site-packages" % (sys.version[:3])'`

and in py scripts:

PYTHONPATH = "/usr/lib/twisted-calendarserver/lib/python%s/site-packages" % (sys.version[:3])

So these are fine.

The setup.py was rewriting:

#PATH
#PYTHONPATH

in all sh/python scripts to paths that include calendarserver stuff. setup.py substituted #PYTHONPATH in an insecure way. Currently it was only used in caldavd, but not needed at all.

I have tested this by running calendarserver with & without the new patch and I can add/retrieve calendar events over the network using thunderbird-lightning.

With regards,
Dmitrijs.
=== modified file 'debian/changelog' --- calendarserver-2.4.dfsg-2/debian/changelog 2010-08-25 15:23:37 +0000 +++ calendarserver-2.4.dfsg-2.1/debian/changelog 2010-12-10 00:54:12 +0000 @@ -1,3 +1,11 @@ +calendarserver (2.4.dfsg-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Do not set PYTHONPATH env var, not needed (Closes: #605166, #605157) + * Prevent setup.py from automagically setting #PYTHONPATH in an insecure way + + -- Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com> Fri, 03 Dec 2010 21:28:40 +0000 + calendarserver (2.4.dfsg-2) unstable; urgency=low * Removed Uploaders field in debian/changelog === added file 'debian/patches/secure-python-path.patch' --- calendarserver-2.4.dfsg-2/debian/patches/secure-python-path.patch 1970-01-01 00:00:00 +0000 +++ calendarserver-2.4.dfsg-2.1/debian/patches/secure-python-path.patch 2010-12-10 00:52:31 +0000 
@@ -0,0 +1,64 @@ +Removes setting PYTHONPATH in an insecure way, not needed on Debian. +Removes "rewritting" rules from setup.py that did that. +Index: b/setup.py +=================================================================== +--- a/setup.py 2010-12-09 19:21:45.000000000 -0500 ++++ b/setup.py 2010-12-09 19:22:25.000000000 -0500 +@@ -125,43 +125,3 @@ + if root: + install_lib = install_lib[len(root):] + +- for script in dist.scripts: +- scriptPath = os.path.join(install_scripts, os.path.basename(script)) +- +- print "rewriting %s" % (scriptPath,) +- +- script = [] +- +- fileType = None +- +- for line in file(scriptPath, "r"): +- if not fileType: +- if line.startswith("#!"): +- if "python" in line.lower(): +- fileType = "python" +- elif "sh" in line.lower(): +- fileType = "sh" +- +- line = line.rstrip("\n") +- if fileType == "sh": +- if line == "#PYTHONPATH": +- script.append('PYTHONPATH="%s:$PYTHONPATH"' % (install_lib,)) +- elif line == "#PATH": +- script.append('PATH="%s:$PATH"' % (os.path.join(base, "bin"),)) +- else: +- script.append(line) +- +- elif fileType == "python": +- if line == "#PYTHONPATH": +- script.append('PYTHONPATH="%s"' % (install_lib,)) +- elif line == "#PATH": +- script.append('PATH="%s"' % (os.path.join(base, "bin"),)) +- else: +- script.append(line) +- +- else: +- script.append(line) +- +- newScript = open(scriptPath, "w") +- newScript.write("\n".join(script)) +- newScript.close() +Index: b/bin/caldavd +=================================================================== +--- a/bin/caldavd 2010-12-09 19:21:51.000000000 -0500 ++++ b/bin/caldavd 2010-12-09 19:22:41.000000000 -0500 +@@ -16,9 +16,6 @@ + # limitations under the License. + ## + +-#PATH +-#PYTHONPATH +- + daemonize=""; + username=""; + groupname=""; === modified file 'debian/patches/series' --- calendarserver-2.4.dfsg-2/debian/patches/series 2010-08-25 15:23:37 +0000 +++ calendarserver-2.4.dfsg-2.1/debian/patches/series 2010-12-10 00:52:31 +0000 
@@ -2,3 +2,4 @@ ldapdirectory.patch paths.diff linux-xattr-fix.patch +secure-python-path.patch
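Review bot: the second changelog bullet says "in an insecure way" without saying what the insecurity was, and the bug numbers alone will not tell a later reader; state it in the entry, e.g. that the rewrite produced `PYTHONPATH="<install_lib>:$PYTHONPATH"`, which with PYTHONPATH unset leaves a trailing colon, an empty entry that Python treats as the current working directory. The first bullet ("Do not set PYTHONPATH env var") also goes further than the attached patch, which only removes the `#PATH`/`#PYTHONPATH` marker lines from bin/caldavd and the rewrite loop from setup.py; the reply above says the Debian wrapper still does `export PYTHONPATH=...` and that this form is fine, so either reword the bullet to match or note where the export is dropped.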
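Review bot: in the setup.py hunk, deleting the loop leaves `install_lib` computed by the remaining context (`if root: install_lib = install_lib[len(root):]`) with no use in the lines shown; drop that adjustment too, or add a comment saying what still needs it, so the next reader does not reintroduce the rewrite to give it a purpose. The patch header has "rewritting" for "rewriting". For the record the problem line is the sh branch `script.append('PYTHONPATH="%s:$PYTHONPATH"' % (install_lib,))`: with PYTHONPATH unset the shell expands it to `<install_lib>:`, and the empty component after the colon is the daemon's current directory on sys.path; if upstream keeps the rewrite, `'PYTHONPATH="%s${PYTHONPATH:+:$PYTHONPATH}"'` only emits the colon when there is something after it.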
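Review bot: the bin/caldavd hunk removes `#PATH` along with `#PYTHONPATH`, so the Debian script gets no PATH adjustment either; that is right when the tools are in /usr/bin, but the patch header only talks about PYTHONPATH, so add a sentence saying PATH is dropped on purpose. Since the setup.py loop that consumed these markers is gone, any other script in dist.scripts still carrying `#PATH`/`#PYTHONPATH` keeps them as inert comments; the reply says caldavd was the only user, so a grep for the markers across bin/ confirming that would make the patch header complete.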
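The trailing-colon expansion Jakub quotes above is the whole security point of this bug, and the `:+:` in the earlier attempt looks like a fragment of the sh idiom `${PYTHONPATH:+:$PYTHONPATH}`. The following is an added example, not code from the bug report or from the calendarserver package: it runs a child interpreter to show that an empty PYTHONPATH component really does put the current working directory on sys.path, and it models both the unsafe `"<dir>:$PYTHONPATH"` form and the safe `${PYTHONPATH:+:...}` form. The function names, the `planted_module` name and the `/nonexistent/lib` install path are made up for the demo.

```python
"""Added example, not part of bug #605157 or of the calendarserver package:
what Python does with an empty PYTHONPATH component, and the sh expansion
that avoids producing one.  Paths and names are made up for the demo."""
import os
import subprocess
import sys
import tempfile
import textwrap


def pythonpath_components(value):
    """Split PYTHONPATH the way the interpreter does (on os.pathsep).
    An empty component, i.e. a trailing or doubled separator, means the
    current working directory; it is shown as "<cwd>" to make that visible."""
    return [c if c else "<cwd>" for c in value.split(os.pathsep)]


def unsafe_prepend(lib_dir, current):
    """Model of what the removed setup.py rewrite emitted for sh scripts:
        PYTHONPATH="<install_lib>:$PYTHONPATH"
    With PYTHONPATH unset the shell expands $PYTHONPATH to nothing and the
    result ends in a bare separator."""
    return lib_dir + os.pathsep + current


def safe_prepend(lib_dir, current):
    """Model of the sh parameter expansion
        PYTHONPATH="<install_lib>${PYTHONPATH:+:$PYTHONPATH}"
    which only emits the separator when there is something after it."""
    return lib_dir + (os.pathsep + current if current else "")


def module_in_cwd_is_importable(pythonpath):
    """Plant a module in a scratch directory, run a probe script that lives
    in a *different* directory with cwd set to the scratch directory and the
    given PYTHONPATH, and report whether the planted module was imported.

    The probe is a file rather than `-c` so that sys.path[0] is the probe's
    own directory, not the cwd; the cwd can then only reach sys.path through
    PYTHONPATH, which is exactly the daemon's situation."""
    with tempfile.TemporaryDirectory() as cwd, \
            tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(cwd, "planted_module.py"), "w") as f:
            f.write("PLANTED = True\n")  # stands in for attacker-controlled code
        probe = os.path.join(script_dir, "probe.py")
        with open(probe, "w") as f:
            f.write(textwrap.dedent("""\
                try:
                    import planted_module
                    print("LOADED")
                except ImportError:
                    print("MISSING")
                """))
        env = dict(os.environ, PYTHONPATH=pythonpath)
        result = subprocess.run([sys.executable, probe], cwd=cwd, env=env,
                                capture_output=True, text=True, check=True)
        return result.stdout.strip() == "LOADED"


if __name__ == "__main__":
    lib = "/nonexistent/lib/python/site-packages"  # made-up install_lib
    for label, value in (("unsafe", unsafe_prepend(lib, "")),
                         ("safe", safe_prepend(lib, ""))):
        print("%-6s PYTHONPATH=%r -> %s -> planted module %s" % (
            label, value, pythonpath_components(value),
            "LOADED" if module_in_cwd_is_importable(value) else "MISSING"))
```

Run as a script it prints one line per form; the unsafe one reports the planted module as LOADED even though the library directory does not exist, because the empty trailing component resolves to the directory the interpreter was started in. A daemon started as root from an attacker-writable directory would import whatever sits there under the name of any module the daemon tries to load first.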